Re: [exim] UCEPROTECT Blacklists and why callouts are abusiv…

Author: Chad Leigh
Date:
To: Dean Brooks
CC: exim-users
Subject: Re: [exim] UCEPROTECT Blacklists and why callouts are abusive

On Oct 17, 2006, at 6:30 PM, Dean Brooks wrote:

> On Wed, Oct 18, 2006 at 12:15:36AM +0100, Andrew - Supernews wrote:
>>>>>>> "Renaud" == Renaud Allard <renaud@???> writes:
>>
>> Renaud> In a perfect world we would need neither callouts nor
>> Renaud> blacklists as people wouldn't send spam in the first
>> Renaud> place. But we are not in a perfect world.
>>
>> Trying to block spam by using other people's resources without
>> permission is just as bad as sending spam.
>
> Just throwing in my opinion here, but I totally agree with Andrew on
> this one. Sender verification callouts without first ensuring the
> sender is sourcing from an authorized host (via SPF or other means) is
> essentially as bad as spamming. Those callouts are using resources
> that provide no benefit to the owner of the resources being used.


Yes, they do provide benefit. They prevent full-fledged DSNs
in some cases.

And when you advertise an MX record, i.e., make yourself responsible to
the world for a specific email address, you are also volunteering to
guarantee that the address is a real address. You cannot have your
cake and eat it too.

>
> Anyone who has run a very active mail server will tell you that
> callouts can use *enormous* amounts of resources if amplified
> appropriately. Denial of service would be very easy with only a few
> sites doing callbacks and an aggressive forger. The only reason this
> doesn't happen more often is very few sites use callouts (thankfully).
>
> People who use callouts should not complain if they end up getting
> blocked. If you use my server resources in a transaction where our
> organization or our customers receive no benefit, then you are
> committing essentially the same ethical (if not legal) crime as a
> spammer.


No, that is not true. You are missing the point that you have
volunteered to be responsible for that email address which includes
proving it is a valid one to people who need to know.

YOU are responsible for what happens with your email address. If you
cannot stop spam users from forging it, then you have to provide a
means to verify if it is a legit address and do all you reasonably
can to protect people from mis-use. If you do all that you can to
prevent mis-use, then legitimate mis-use that is impossible to stop
can be excused. But only if you do all that you can.

Like owning a car. If you own a car and do not lock it, leave it
running with the keys in, etc. and someone steals it and runs into
someone else, it is very possible that you can be held responsible
because you did not do everything you could to safeguard your car and
prevent illegal access to it. However, if you leave it locked,
possibly garaged, and it is nevertheless stolen, you can use a valid
defense that you did all that you were expected to do to safeguard it.

That is part of the social compact of the internet.

Chad

---
Chad Leigh -- Shire.Net LLC
Your Web App and Email hosting provider
chad at shire.net